Escape regex metacharacters in siteApiNamespace before interpolating into RegExp

## Summary

In `src/utils/api-fetch.js`, `apiPathModifierMiddleware` interpolates `siteApiNamespace` values directly into `new RegExp()` without escaping regex metacharacters:

```js
const namespaceRegex = new RegExp( `(${ siteApiNamespace.join( '|' ) })` );
```

If a namespace contained characters like `.`, `+`, `(`, `)`, `*`, etc., they would be interpreted as regex syntax rather than matched literally.

## Risk

Low — `siteApiNamespace` comes from the native app bridge config (not user input), so exploitation requires a compromised host app. But it's a latent correctness bug: a namespace like `wp/v2.1` would match `wp/v2X` (`.` matches any character).

## Suggested fix

Escape each namespace before joining:

```js
const escaped = siteApiNamespace.map( ( ns ) =>
    ns.replace( /[.*+?^${}()|[\]\\]/g, '\\$&' )
);
const namespaceRegex = new RegExp( `(${ escaped.join( '|' ) })` );
```

Existing tests in `src/utils/api-fetch.test.js` pass with this change.

Found during adversarial code review of #TBD.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Escape regex metacharacters in siteApiNamespace before interpolating into RegExp #368

Summary

Risk

Suggested fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Escape regex metacharacters in siteApiNamespace before interpolating into RegExp #368

Description

Summary

Risk

Suggested fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions